Nginx and wowza on port 80. How to configure - nginx

I have dedicated server with 1 IP. Nginx on port 80 used as reverse proxy. Behind nginx several backends (Apache, PHP Fast CGI)
I also have wowza. It works ok by RTMP on port 1935. I want to allow connect to wowza via RTMPT protocol on port 80.
Is it possible to configure nginx to proxy RTMPT requests to wowza server?
Wowza support didnt help
link1
link2

You can either configure Wowza to listen on port 80 ( without nginx, recommended ) or to use the RTMPT protocol which is RTMP on top of HTTP
Base Nginx only proxies HTTP(s) and SMTP
so yes, this should be possible but is probably slower ( higher protocol overhead, CPU footprint )
Example configuration in nginx
server
{
listen 80;
server_name _;
location /
{
proxy_set_header Host $host;
proxy_buffering Off;
proxy_pass http://127.0.0.1:YOUR_WOWZA_RTMPT_PORT;
}
}

Related

gunicorn reverse proxy accessible from internet

I configured nginx and gunicorn to serve flask app. And I started gunicorn with this command
gunicorn --bind 0.0.0.0:5000 wsgi:app My website is accessible from my provided ip address on port 80. However It is accessible on port 5000 as well. It seems my reverse proxy works as it should be, but gunicorn server can be accessible as well.
I'm planning to disable port 5000, but not sure this is the correct, secure way to solve such problem.
This is my nginx conf file:
server {
server_name <my_ip_adress>;
access_log /var/log/nginx/domain-access.log;
location / {
proxy_pass_header Server;
proxy_set_header Host $http_host;
proxy_redirect off;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Scheme $scheme;
proxy_connect_timeout 10;
proxy_read_timeout 10;
# This line is important as it tells nginx to channel all requests to port 5000.
# We will later run our wsgi application on this port using gunicorn.
proxy_pass http://127.0.0.1:5000/;
}
}
You're binding gunicorn to 0.0.0.0 hence it's available on the external interfaces. Assuming this is just one box, instead:
gunicorn --bind 127.0.0.1:5000 wsgi:app
This no longer listens for requests from external interfaces, meaning all requests must come through nginx.
Of course if you did bind gunicorn to 0.0.0.0 you could make a firewall rule with iptables to DROP traffic to that port from external interfaces.
If you are using a cloud provider they may implement this firewall functionality natively on their platform - for example Security Groups on AWS EC2 would allow you to create a 'webserver' group which only allows traffic through for ports 80 & 443.

Trouble setting up NGINX behind pfSense Router

I'm attempting to setup an NGINX reverse proxy on my network, it is currently running on an Ubuntu VM. I'd like to run a website running in IIS, and another site running on Apache in a Linux VM behind the same public IP address. NGINX seemed like the perfect solution.
I've followed several guides and can't seem to get everything working. The NGINX config seems to work locally if I access the NGINX VM's IP directly it serves me the default config, and I can even change it between the IIS site, or the Apache site, and get it to work locally. My problem comes in with any external connection.
Previously my pfSense router was setup to forward port 80 and 443 to the IIS VM, and that was working fine, so I know at a basic level that pfSense was able to forward those ports to that windows client. Once I got NGINX setup I changed my port forwards for 80 and 443 to point to the VM running NGINX. Now none of my websites will work, the ip address for the domains resolves to my public IP, but the requests time out / never reach any web server.
nginx.conf is the default, I made no changes.
default nginx host conf:
server {
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
index index.html index.htm index.nginx-debian.html;
server_name _;
location / {
return 404;
}
}
Apache host conf:
server {
listen 80;
server_name domain.com;
location / {
proxy_pass http://0.0.0.0:80; # Apache internal IP
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
pfSense Port 80 Rule:
Action: Pass
Interface: WAN
Address Family: IPv4
Protocol: TCP
Source: Any
Destination: NGINX VM IP
From: 80
To: 80
I'm not getting any error messages in the console, in the NGINX log, etc. I'm honestly at a loss. Any advice would be greatly appreciated.
You have it set up so Apache is forwarding to Nginx. Your Nginx file is not forwarding anything. If Nginxis going to be the reverse proxy, then the location / { ... } components showing in the Apache config file need to be in the Nginx config file. Also, I would change "server name _" to show your domain name in the Nginx file.

Nginx win server 2012 - Configure proxy pass

I have a node server listening on localhost:8080 and I'd like to use nginx as proxy pass, so i made nginx listen to port 80 incoming connections. However I'm not able to configure nginx config to do the reverse proxying. I do not currently have a domain, only server IP. So I'm guessing server_name has to be set to $host or something?
events{
}
http{
server{
listen 80;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host 127.0.0.1;
}
}
}
If I try to visit my server IP on port 80 I just receive welcome to Nginx page.
You should reload and restart your nginx
sudo service nginx reload
sudo service nginx restart

nginx using custom port

I have installed LEMP on Ubuntu. I am using a port 4738 as an nginx listener. Everything works fine. I can access the page as 123.123.123.123:4738.
I do want to get rid of port in the url. How to do it? I have read many answers on SO and tried but didn't work for me. Following is an example:
port_in_redirect off;
location / {
proxy_pass http://123.123.123.123:4738;
}
and
proxy_redirect http://123.123.123.123 http://123.123.123.123:4738;
port_in_redirect off;
If you're not using the default port for the protocol, you have to have the port in the URL. You have to listen on port 80 if you expect to not have the port in your HTTP URL.
Configure your server to listen on port 80.

Can I redirect non-SSL traffic that comes in on an SSL port with Nginx

I have a fairly standard setup with nginx fronting a django app. I want the django app to be SSL only, and so I have two listen blocks in my nginx conf, with the traffic coming in on port 80 (HTTP) being redirected to port 443 (SSL). This is working as expected.
I am running this setup inside a VM that has port forwarding turned on, such that I can browser the site from the host machine by going to port 8080 (HTTP) or 8081 (SSL). Again, this work fine, as expected.
The problem comes when I am redirected internally from the Django app during a registration workflow. Because Django never sees the SSL status (SSL is terminated at nginx, and traffic to the app is forwarded on port 5000 over HTTP), but does see the port, the redirect is getting mangled**.
The net result of all of this is that I have traffic being directed into nginx on the SSL port, that is not SSL, e.g. http://127.0.0.1:443/. Is there any way to configure nginx to handle this?
** NB I am setting the X-Forwarded-Proto header in Nginx, and Django is picking up the correct .is_secure() value, this is a specific problem with an external library not checking is_secure and just redirecting on the incoming URL scheme.
[UPDATE 1]
Attached are the relevant config settings. This is from the Vagrantfile itself, showing the port forwarding:
config.vm.forward_port 80, 8080 # website, via nginx (redirects to SSL:8081)
config.vm.forward_port 443, 8081 # website, via nginx (accepts SSL)
config.vm.forward_port 5000, 8180 # website, via gunicorn (direct)
Using the above port forwarding configuration, if I browse to the site on the host machine on the HTTP port (8080), then the request is accepted, and nginx (see below) redirects this request to HTTPS (running on port 8081). Once I am on HTTPS the site itself works fine:
(host) http://127.0.0.1:8080 -> forwarded to -> (guest vm) http://127.0.0.1:80
(host) https://127.0.0.1:8081 -> forwarded to -> (guest vm) https://127.0.0.1:443
The problem occurs when I get a redirect internally from Django which mixed scheme & protocol, and ends up with a request to http:\\127.0.0.1:8081\..., which fails, as nginx is expecting traffic on 8081 to be SSL.
What I really want is a rule that says 'listen on 443 for both SSL and non-SSL and redirect non-SSL'.
This is the relevant nginx configuration:
# Django app is served by Gunicorn, running under port 5000 (via Foreman)
upstream gunicorn {
server 127.0.0.1:5000 fail_timeout=0;
}
server {
listen 80;
# 8081 is the port I am forwarding to on the host machine
rewrite ^ https://127.0.0.1:8081$request_uri? permanent;
}
server {
listen 443;
ssl on;
ssl_protocols SSLv3 TLSv1;
ssl_ciphers HIGH:!ADH:!MD5;
ssl_prefer_server_ciphers on;
ssl_certificate /etc/nginx/ssl/self-signed.crt;
ssl_certificate_key /etc/nginx/ssl/self-signed.key;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
location /static/ {
alias /app/static/;
}
location /media/ {
alias /app/media/;
}
location / {
# everything else is to be served by the django app (upstream 'gunicorn')
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# this is set to ensure that django is_secure returns True
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_pass http://gunicorn;
}
}
You should check out "Error Processing" section of this document:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html
Non-standard error code 497 may be used to process plain HTTP request which has been sent to HTTPS port.
Something like this should work (untested):
error_page 497 https://$host$request_uri;
Named locations may also be used in error_page, see http://nginx.org/r/error_page for details.

Resources